Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
28-10-2024 19:53
General
-
Target
0fbb8a353ed94e2a696c2fb72a9d5d1bcc24210bb8537a38fdf67cd60817a2db.exe
-
Size
1.5MB
-
MD5
0df291ae9e609cac23830f6de938b7cb
-
SHA1
c06389fb7b9f176c118ec7e95df56344b9e9a61b
-
SHA256
0fbb8a353ed94e2a696c2fb72a9d5d1bcc24210bb8537a38fdf67cd60817a2db
-
SHA512
d9918ba91ac67c3bb3e795e22c8f3ae67226ca119217d54a41724d9f0622765f99c609af192e78343bb1921c919b81322a58f449061b1167dc85d3c22088adea
-
SSDEEP
24576:9bfESdvMj6hoGDAQsJ+N6XcHQWq3QY2SrXQLdok0OjYS4mej+T1kJCv:5Ei6GDAQORcwW5/oBjme81
Malware Config
Signatures
-
DcRat 14 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
-
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops file in Program Files directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0fbb8a353ed94e2a696c2fb72a9d5d1bcc24210bb8537a38fdf67cd60817a2db.exe"C:\Users\Admin\AppData\Local\Temp\0fbb8a353ed94e2a696c2fb72a9d5d1bcc24210bb8537a38fdf67cd60817a2db.exe"1⤵
- DcRat
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0fbb8a353ed94e2a696c2fb72a9d5d1bcc24210bb8537a38fdf67cd60817a2db.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\wininit.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Install\Idle.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBNXXH4ecd.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Program Files (x86)\Google\Update\Install\Idle.exe"C:\Program Files (x86)\Google\Update\Install\Idle.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a938a83-5b14-4238-a7ff-6f1c7968be0d.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Google\Update\Install\Idle.exe"C:\Program Files (x86)\Google\Update\Install\Idle.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b45b324-2c6b-4fe7-ab3e-ab7aa24982a4.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "rUGDwininit" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "oBobwininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "iaGzwininit" /sc ONSTART /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WpfjWmiPrvSE" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fvYFWmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AJL2WmiPrvSE" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "rW9EIdle" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Update\Install\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "1YTTIdle" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Install\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "J54tIdle" /sc ONSTART /tr "'C:\Program Files (x86)\Google\Update\Install\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Update\Install\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD529e9d6d2065d9917b72bb3fddd81e974
SHA1586f2a635fc05a05706a3afc347176b972ff9d11
SHA25600e42bc7b0789f5f50288ab1700bd981867b7d8a3ee3183340db320841090f9c
SHA512b1e7c83ba9d31b1e126e59b297026c582ae9ac7c7100e66ca28d9068e6a4582ba84e9891d10e07b2bf853b004a464e9885f78e445a35b33afab55fbda80cdf0f
-
Filesize
1.5MB
MD50df291ae9e609cac23830f6de938b7cb
SHA1c06389fb7b9f176c118ec7e95df56344b9e9a61b
SHA2560fbb8a353ed94e2a696c2fb72a9d5d1bcc24210bb8537a38fdf67cd60817a2db
SHA512d9918ba91ac67c3bb3e795e22c8f3ae67226ca119217d54a41724d9f0622765f99c609af192e78343bb1921c919b81322a58f449061b1167dc85d3c22088adea
-
Filesize
729B
MD56d9793d4df5b1f5e26ed3b3e23fcfaee
SHA1bcc29f0d7b8554ac9a21023d7701698c80e8249c
SHA256ee69558df0f9e90fb3e957eb5fbaac25108a003876d2a0af451a14d0cb3f2117
SHA5123da87f5b68e45e0f59bb8b2595ffe13df4eef43213a1e33eadb5e60be645c2e05a79a4eca8df22cfe2d0d81c3da091a7df0b4be2a5a473d3f5eb78bcd62c536f
-
Filesize
505B
MD504922154a5f03e34ad1b5b84ab4f8d41
SHA15ae2b099ed6f2a59e5fa304bc7ba33f2c7df24c5
SHA2569314f28603124a489e4e4fff4b56c690bd778b30d2234d997691ec93e8d87d24
SHA51201c3751e5cc14cfc76912a784c1775c2c209e19aa0d8d910ee5e2748e539de0ab2f90b1b73028b0d38bb1af778476c440f71da5059c6a036416203b9324cb339
-
Filesize
217B
MD582612ca468303e30fea35c81d5470eba
SHA1cf2b0dcabb5843e6c723d2fcfdcfca88b54060d5
SHA256bef4c1c7ad878f394c9432320e2fba6811e160fcf5e965166f1cae1394f6c7e8
SHA51209c4115f41cbd7cd9d4cd5d26a0e993911f3056ea498c84c9557507e8e392ea3be6b8aa44508d96ab06a50f8d445e658bab6e35c2a15d3bcc990f7e252504cf7
-
Filesize
7KB
MD557674f1293da4bbab1b4c84f9d3eb398
SHA1c774d50f46a275897ea5e20d0cd4af9c48d1d668
SHA25698ed6251eff9a1f950e2ffddcc363652574ac9163f4ce536425a4fd8b52f30f3
SHA512a6c45f06aebf2f50f8107f87432785fb6bdfc3e6e43afe73e654118110f1353570a852ea79af82f77d86432863b7ebbf95988da45a792228401cbb31c49d98d7
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
72KB
-
Filesize
1.5MB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
9.9MB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
9.9MB
-
Filesize
1.5MB